On Tue, Nov 27, 2018 at 3:33 PM Jonas Smedegaard <jo...@jones.dk> wrote:
>
> Quoting Xavier (2018-11-27 15:22:10)
> > On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> > > Quoting Xavier (2018-11-27 14:00:42)
> > >> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> > >>> Hi Xavier and Paolo,
> > >>>
> > >>> Please allow me to highlight this security-related detail:
> > >>>
> > >>> Quoting Xavier (2018-11-26 16:29:32)
> > >>>> Embedding components without following them may be a lack of security.
> > >>>> I think we should have a policy for embedding:
> > >>>> - components without major risks => not used in version
> > >>>> - components that must be followed => declared as "group" in
> > >>>>   debian/watch
> > >>>> - components that must be followed and used in many other packages
> > >>>>   => packaged separately
> > >>>
> > >>> Quoting Paolo Greppi (2018-11-27 10:52:37)
> > >>>> With yesterday's news about the event-stream node module being pwned:
> > >>>> https://github.com/dominictarr/event-stream/issues/116
> > >>>> the importance of these matters should be clear to anyone.
> > >>>> Probably there is no component "without major risks", and even if it
> > >>>> existed, it would be unfair to lay upon the busy maintainer the task
> > >>>> of deciding if it is risky or not.
> > >>>
> > >>> Thanks to _both_ of you (and others in the thread) for all your work
> > >>> tackling these issues.
> > >>>
> > >>> My point here is *not* to point fingers, but to emphasize an important
> > >>> aspect of our task as (re)distributors of code: ensure code integrity
> > >>> towards our users.
> > >>>
> > >>>
> > >>>  - Jonas
> > >>
> > >> Thanks, so I propose this policy update - please review this:
> > >> - components used only during build => not used in version
> > >>   (except if they inject some code)
> > >> - if upstream version isn't locked on dependencies (see Jérémy's remark)
> > >>   [or if upstream isn't serious?]:
> > >>   * very little component => not used in version
> > >>   * components that must be followed and maybe used in many other
> > >>     packages => packaged separately
> > >>   * other components => declared as "group" in debian/watch
> > >
> > > Sorry, I don't understand: why not track code used during build?
> > >
> > > Seems you propose to systematically ignore potential upstream bugfixes.
> > >
> > >
> > >  - Jonas
> >
> > I was thinking of modules used to generate documentation, to test, ... So
> > even if there is a security issue in them, the risk doesn't exist in the
> > published binary.
>
> I think it is dangerous to try to judge systematically and automatically,
> with no qualitative input, what has security implications and what does not!

I agree here... No more node_modules inside the package. At least it will be
fixed once.

>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet architect
>  * Tel.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
> --
> Pkg-javascript-devel mailing list
> Pkg-javascript-devel@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
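For readers who have not used it, this is what the "group" declaration in debian/watch that the thread keeps referring to looks like. It is an added example, not a file from this thread or from any Debian package; `example-main` and `example-dep` are placeholder npm package names, and the file follows uscan's multiple-upstream-tarball (MUT) syntax as documented in uscan(1).

```text
# debian/watch: one watch line per tarball. Writing "group" in the fourth
# field of every line makes uscan track each component on its own and build
# the upstream version from all of them (main version first, then each
# component version, joined with "+~"), so a component update changes the
# package version instead of disappearing inside node_modules.
# Package names here are placeholders.
version=4

# Main upstream tarball
opts="searchmode=plain,pgpmode=none" \
 https://registry.npmjs.org/example-main \
 https://registry.npmjs.org/example-main/-/example-main-(\d[\d\.]*)@ARCHIVE_EXT@ group

# Embedded component. component=NAME makes uscan fetch it as a secondary
# orig tarball (example-main_VERSION.orig-example-dep.tar.gz) that
# dpkg-source unpacks into the example-dep/ directory of the source tree.
opts="searchmode=plain,pgpmode=none,component=example-dep" \
 https://registry.npmjs.org/example-dep \
 https://registry.npmjs.org/example-dep/-/example-dep-(\d[\d\.]*)@ARCHIVE_EXT@ group
```

With this in place, `uscan --no-download --verbose` reports the newest upstream version of the main tarball and of each declared component separately, which is exactly the "following" of embedded code that the policy proposal asks for: a vulnerable release of an embedded module shows up as an outdated component in uscan output (and in the tracker), rather than being invisible because it was copied in by hand.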